I've recently downloaded the net installation image for Squeeze, but
am really uncomfortable with the fact that I can't establish a firm
trust path to the CD signing key. Is there a canonical place to get
the fingerprint of this key, so that at least one can have some
confidence that the key one is validating with is at least the
widely-known (and generally accepted) one?

As a hack, I've done this on an Ubuntu 10.10 system:

    gpg --recv-keys 6294BE9B
    gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B

While this shows that this particular key has been signed by some
Debian developers, it doesn't actually validate that the key is the
official key for verifying the ISOs.

Can anyone point me to ANY debian.org page that defines the official
key for CD images? Major bonus for any official links to fingerprints
for the CD signing key.